Wireshark mailing list archives

tcpdump forum?


From: "Aktuna, Ilker, Vodafone Turkey" <ilker.aktuna () vodafone com>
Date: Mon, 27 Aug 2012 12:11:01 +0000

Hi,

Unfortunately, I couldn't find a forum/mailing list about tcpdump. That's why I'd like to ask my question here, as most of the Wireshark users are using tcpdump for capturing traffic.
If this is not suitable, please point me to a forum where I could ask about tcpdump.

Now, my problem is about tcpdump getting only one-way traffic if used with a filter. On the server where I use tcpdump, there is libpcap 0.9.4 and tcpdump 3.9.4.
Normally, if I take captures without a filter, I can receive two-way SIP traffic. However, if I put a capture filter like "port 5060", I can only receive one-way traffic in the file created.

In fact, I know why this happens; the SIP traffic is tunneled with IP protocol 4 (ipip) in one direction. So, if I put a filter "port 5060", that doesn't cover "UDP packets under IP protocol 4". How can I solve this issue?

Previously, I had another server with different versions of libpcap and tcpdump. Then I was able to capture two-way traffic for the same SIP proxy.
I assume that was because of the tcpdump or libpcap version, but I don't remember which versions they were. I also tried with tcpdump version 4.3.0 and libpcap 1.3.0. They produce the same result as the currently installed 3.9.4/0.9.4.

To help you better understand the problem, this is how it looks if I don't put a capture filter:

15:09:21.908057 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 526
15:09:21.908065 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 526
15:09:21.910438 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 552
15:09:21.910448 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 552
15:09:21.961323 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 408 (ipip-proto-4)
15:09:21.961327 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 408 (ipip-proto-4)
15:09:21.983076 IP 10.8.8.114 > 10.8.8.118: IP 10.34.73.120.5072 > 10.8.8.97.5060: SIP, length: 536 (ipip-proto-4)
15:09:21.983079 IP 10.8.8.114 > 10.8.8.118: IP 10.34.73.120.5072 > 10.8.8.97.5060: SIP, length: 536 (ipip-proto-4)
15:09:22.015179 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 398 (ipip-proto-4)
15:09:22.015184 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 398 (ipip-proto-4)


Thanks,
ilker

Legal Notice:
This e-mail is subject to the Terms and Conditions document, which you can reach via this link
http://www.vodafone.com.tr/VodafoneHakkinda/eposta-hukuki-sartlar.php


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
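As an added example (not part of the original message or of tcpdump/libpcap), the following Python script builds a constructed plain UDP/5060 datagram and the same datagram wrapped in IPIP (IP protocol 4), modelled on the trace above, and applies the port test the way a capture filter does: "port 5060" only inspects the outermost IP header, so the tunneled copy is missed, while following protocol 4 into the inner header finds it. It also returns the equivalent BPF text, "port 5060 or (ip proto 4 and ip[29] = 17 and (ip[40:2] = 5060 or ip[42:2] = 5060))", whose fixed offsets assume 20-byte outer and inner IPv4 headers (no options) and unfragmented packets; the SIP payload is a placeholder.

```python
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_TCP = 4, 17, 6


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left 0, constructed sample only)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, proto, 0, addr(src), addr(dst))


def udp_datagram(sport, dport, payload):
    """UDP header (checksum 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def matches_port(ip_pkt, port, follow_ipip=False):
    """Port test as 'port N' applies it: only the outermost IP header is examined.
    With follow_ipip=True the test is repeated on the inner packet when the outer
    protocol is 4 (IPIP), which is what the extended BPF expression does."""
    ihl = (ip_pkt[0] & 0x0F) * 4                        # header length in bytes
    proto = ip_pkt[9]
    if (struct.unpack("!H", ip_pkt[6:8])[0] & 0x1FFF) != 0:
        return False                                    # later fragment: no ports present
    if proto == IPPROTO_IPIP and follow_ipip:
        return matches_port(ip_pkt[ihl:], port, follow_ipip)
    if proto in (IPPROTO_UDP, IPPROTO_TCP):             # ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", ip_pkt[ihl:ihl + 4])
        return port in (sport, dport)
    return False


def extended_filter(port):
    """BPF text that also matches UDP inside IPIP. Offsets assume 20-byte outer and inner
    IPv4 headers: inner protocol at ip[29], inner UDP ports at ip[40:2] and ip[42:2]."""
    return (f"port {port} or (ip proto {IPPROTO_IPIP} and ip[29] = {IPPROTO_UDP} "
            f"and (ip[40:2] = {port} or ip[42:2] = {port}))")


# Constructed samples modelled on the trace in the message (payload is a placeholder).
SIP = b"INVITE sip:user@10.8.8.97 SIP/2.0\r\n"
PLAIN = ipv4_header("10.8.8.97", "10.34.75.153", IPPROTO_UDP, 8 + len(SIP)) \
    + udp_datagram(5060, 5072, SIP)
INNER = ipv4_header("10.34.75.153", "10.8.8.97", IPPROTO_UDP, 8 + len(SIP)) \
    + udp_datagram(5072, 5060, SIP)
TUNNELED = ipv4_header("10.8.8.114", "10.8.8.122", IPPROTO_IPIP, len(INNER)) + INNER

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("ipip", TUNNELED)):
        print(name, "port 5060:", matches_port(pkt, 5060),
              "extended:", matches_port(pkt, 5060, follow_ipip=True))
    print(extended_filter(5060))
```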
